hijackloader | 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa49622f3dafc184f903b7b78a2fd68.exe
Size

8.4MB
MD5

5aa49622f3dafc184f903b7b78a2fd68
SHA1

28fd3345d82da0cdb565a11c648aff196f03d770
SHA256

285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84
SHA512

fa7c3e619eb64355927fe4fe9ce925abba4c185b85816589a8e3bdf3ca7f0e73bb6c0ca939aa3699b29085f6d694eaf90f2224446156b80839d960a997b64d6d
SSDEEP

98304:YajcsQ5SggQZWfV1bihqdq7mXxUHp/nIaWl49u8cSu+A05TeKY7:cs3amByp/IpS9ASu+K

Score

10^/10

hijackloader stealc loader spyware stealer

Malware Config

Extracted

Family

stealc

http://193.163.7.82

Attributes

url_path
/722c81812703a73d.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-1-0x0000000000400000-0x0000000000C87000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2384 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ptInst.exeptInst.exe

pid process

1256 ptInst.exe
760 ptInst.exe

pid	process
2384	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

ptInst.exeptInst.exeexplorer.exe

pid	process
1256	ptInst.exe
1256	ptInst.exe
1256	ptInst.exe
1256	ptInst.exe
760	ptInst.exe
760	ptInst.exe
760	ptInst.exe
760	ptInst.exe
4012	explorer.exe
4012	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

ptInst.exe

description pid process target process

PID 760 set thread context of 2384 760 ptInst.exe cmd.exe

description	pid	process	target process
PID 760 set thread context of 2384	760	ptInst.exe	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5052 timeout.exe

pid	process
5052	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

5aa49622f3dafc184f903b7b78a2fd68.exeptInst.exeptInst.execmd.exeexplorer.exe

pid	process
3704	5aa49622f3dafc184f903b7b78a2fd68.exe
3704	5aa49622f3dafc184f903b7b78a2fd68.exe
1256	ptInst.exe
760	ptInst.exe
760	ptInst.exe
2384	cmd.exe
2384	cmd.exe
4012	explorer.exe
4012	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ptInst.execmd.exe

pid process

760 ptInst.exe
2384 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

5aa49622f3dafc184f903b7b78a2fd68.exe

pid process

3704 5aa49622f3dafc184f903b7b78a2fd68.exe
3704 5aa49622f3dafc184f903b7b78a2fd68.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

5aa49622f3dafc184f903b7b78a2fd68.exe

pid process

3704 5aa49622f3dafc184f903b7b78a2fd68.exe
3704 5aa49622f3dafc184f903b7b78a2fd68.exe

pid	process
760	ptInst.exe
2384	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5aa49622f3dafc184f903b7b78a2fd68.exeptInst.exeptInst.execmd.exeexplorer.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 1256	3704	5aa49622f3dafc184f903b7b78a2fd68.exe	ptInst.exe
PID 3704 wrote to memory of 1256	3704	5aa49622f3dafc184f903b7b78a2fd68.exe	ptInst.exe
PID 3704 wrote to memory of 1256	3704	5aa49622f3dafc184f903b7b78a2fd68.exe	ptInst.exe
PID 1256 wrote to memory of 760	1256	ptInst.exe	ptInst.exe
PID 1256 wrote to memory of 760	1256	ptInst.exe	ptInst.exe
PID 1256 wrote to memory of 760	1256	ptInst.exe	ptInst.exe
PID 760 wrote to memory of 2384	760	ptInst.exe	cmd.exe
PID 760 wrote to memory of 2384	760	ptInst.exe	cmd.exe
PID 760 wrote to memory of 2384	760	ptInst.exe	cmd.exe
PID 760 wrote to memory of 2384	760	ptInst.exe	cmd.exe
PID 2384 wrote to memory of 4012	2384	cmd.exe	explorer.exe
PID 2384 wrote to memory of 4012	2384	cmd.exe	explorer.exe
PID 2384 wrote to memory of 4012	2384	cmd.exe	explorer.exe
PID 2384 wrote to memory of 4012	2384	cmd.exe	explorer.exe
PID 4012 wrote to memory of 3660	4012	explorer.exe	cmd.exe
PID 4012 wrote to memory of 3660	4012	explorer.exe	cmd.exe
PID 4012 wrote to memory of 3660	4012	explorer.exe	cmd.exe
PID 3660 wrote to memory of 5052	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 5052	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 5052	3660	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\5aa49622f3dafc184f903b7b78a2fd68.exe
"C:\Users\Admin\AppData\Local\Temp\5aa49622f3dafc184f903b7b78a2fd68.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\ptInst.exe
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\ptInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\supernotepad_x86\ptInst.exe
C:\Users\Admin\AppData\Roaming\supernotepad_x86\ptInst.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & del "C:\ProgramData\*.dll"" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d6918fb
Filesize
863KB

MD5
425e307356e2ed5c6a41867e60f44529

SHA1
3b9b7dc7963295bd4fca46c208219aa2eca04812

SHA256
d1923056887e009a05736112ff82070a3237c30b8f945f963629e419d92521c9

SHA512
ad8264c918281a402763dcf06082d4213c35f4210bf02ab6468ae62b0eb2f4c178fd6e1b6d11849489bfb0ebc5a426d22077839f7ce3e7842933cc33fbfa6571

Download Submit
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\autunite.vcf
Filesize
19KB

MD5
8240c2b1b55106bce4b205de628ca628

SHA1
202d7f1d9c2756a195411f29bedc06d574088c8f

SHA256
37702dbbd99aea78164d61af4d577764bb0ea358edb1fa097f40e9a9c5039d82

SHA512
5a1204170fed5c46572f9b41626d66225a18f701642b3b804f1005800af43d4f00388530a0a121381d42fd3f68f4e479e978c339ec11b241b2be1b1aafe6209a

Download Submit
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\msvcp140.dll
Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\ptInst.exe
Filesize
938KB

MD5
b15bac961f62448c872e1dc6d3931016

SHA1
1dcb61babb08fe5db711e379cb67335357a5db82

SHA256
bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5

SHA512
932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370

Download Submit
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\truancy.mp3
Filesize
621KB

MD5
6d7397b107945d59f070f46dfeb0114f

SHA1
56f8f27680953eb87e6301d860c066f3699a2492

SHA256
77b4ac6b13188c9c69717b2199ca9e844e0c32e15a61c538c6908d05994eeade

SHA512
073349e96484315696fdb4fe26aa2c932a3eb18030253d1ac804201a41b2f9bc2c088994e7a09407b902a3f02e230cbab28669753a027bc4cb2ce28298cc75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\supernotepad_x86\vcruntime140.dll
Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Users\Admin\AppData\Roaming\supernotepad_x86\WCLDll.dll
Filesize
590KB

MD5
ff7cf8ca0936fb896cb3cad4ef58562b

SHA1
4772f1a6e8445f375ca26969702ae3b3d63d9e2b

SHA256
3155a2327a00e2c9c5d9da09973cbf05aae4ffec1cc3f0f2f0b58a4eb6b2f55e

SHA512
fd993601f208a8475b0d4538b96790e31d6131da9682a912d99211ac55d4e22486ee65506ed9a5ab3ccb7e4a5fff6133982836abeda15a119ea7eaaaef86f3ad

Download Submit
memory/760-52-0x00007FFE4A330000-0x00007FFE4A525000-memory.dmp

Filesize
2.0MB

Download
memory/760-51-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/760-53-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/760-56-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/1256-32-0x00007FFE4A330000-0x00007FFE4A525000-memory.dmp

Filesize
2.0MB

Download
memory/1256-31-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/2384-60-0x00007FFE4A330000-0x00007FFE4A525000-memory.dmp

Filesize
2.0MB

Download
memory/2384-59-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/2384-65-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/2384-61-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-54-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-2-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-5-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-4-0x00000000749F2000-0x00000000749F4000-memory.dmp

Filesize
8KB

Download
memory/3704-3-0x00007FFE4A330000-0x00007FFE4A525000-memory.dmp

Filesize
2.0MB

Download
memory/3704-0-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/3704-7-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-18-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-1-0x0000000000400000-0x0000000000C87000-memory.dmp

Filesize
8.5MB

Download
memory/3704-19-0x00000000749E0000-0x0000000074B5B000-memory.dmp

Filesize
1.5MB

Download
memory/4012-63-0x0000000000480000-0x00000000006BD000-memory.dmp

Filesize
2.2MB

Download
memory/4012-68-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4012-110-0x0000000000480000-0x00000000006BD000-memory.dmp

Filesize
2.2MB

Download
memory/4012-66-0x0000000000480000-0x00000000006BD000-memory.dmp

Filesize
2.2MB

Download
memory/4012-64-0x00007FFE4A330000-0x00007FFE4A525000-memory.dmp

Filesize
2.0MB

Download
memory/4012-129-0x0000000000480000-0x00000000006BD000-memory.dmp

Filesize
2.2MB

Download